Introduction
1. a) Why is it important for firms to understand the threat environment?
Until you understand the threats you face, you cannot defend yourself.
b) Name the three common security goals.
Confidentiality, integrity, and availability.
c) Briefly explain each.
Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data.
Availability means that people who are authorized to use information are not prevented from doing so. Neither a computer attack nor a network attack will keep them away from the information they are authorized to access.
d) What is an incident?
When a threat succeeds in causing harm to a business, this is called an incident.
e) What are the synonyms for incidents?
Breaches or compromises.
f) What are countermeasures?
The methods companies use to thwart attacks are called countermeasures.
g) What are the synonyms for countermeasure?
Synonyms for countermeasures include safeguards, protections, or controls.
h) What are the goals of countermeasures?
To thwart attacks.
i) What are the three types of countermeasures?
Preventative, detective, and corrective.
2. a) Who were the victims in the TJX breach? (The answer is not in the text, and this is not a trivial question.)
The customers were the main victims. The banks that dealt with TJX also suffered because fines were leveled against them. Finally, TJX was a victim.
b) Was the TJX break-in due to a single security weakness or multiple security weaknesses? Explain.
There were multiple security weaknesses. To gain access, the thieves exploited poorly protected wireless LAN security. They were able to read traffic because TJX did not encrypt data traveling between its stores and data centers. When thieves then connected to TJX servers, they were able to exploit those servers.
c) Why would meeting the PCI-DSS control objectives probably have prevented the TJX data breach? This is not a trivial question.
Meeting the PCI-DSS control objectives probably would have prevented the TJX data breach because the PCI-DSS was set up to prevent the break-ins of this sort. The standard required control objectives that must be implemented by companies that accept credit card purchases, because companies of credit cards were already beginning to be breached. TJX only had 3 of the 12 required control objectives, which meant that it was very weak in security.
[PCI-DSS says that WEP should not be used in new installations after March 2009, and must be gone after March 2010. (4.1.1)]
d) Would meeting the PCI-DSS control objectives definitely have ensured that the data breach would not have occurred? Think about this carefully. The answer is not in the text.
Not necessarily. Most importantly, the PCI-DSS control objectives only described activities, not how well the activities were carried out.
e) Which of the CIA goals did TJX fail to achieve in this attack?
Of the three CIA goals, TJX primarily failed confidentiality (ensuring sensitive information cannot be read while traveling across a network).
3. a) Give four reasons why employees are especially dangerous.
(1) They have extensive knowledge of the IT systems.
(2) They often have access to sensitive parts of the system.
(3) They know corporate control mechanisms and so often know how to avoid detection.
(4) They are trusted by companies and can benefit from that trust when not following proper security protocol.
b) What type of employee is the most dangerous?
IT support personnel, and specifically IT security personnel, are the most dangerous employees
c) What is sabotage?
Sabotage is the destruction of hardware, software, or data.
d) Give the book’s definition of hacking.
Hacking is intentionally accessing a computer resource without authorization or in excess of authorization.
e) What is intellectual property?
Intellectual property (IP) is information owned by the company and protected by law.
f) What two types of things are employees likely to steal?
Money and trade secrets.
g) Distinguish between intellectual property in general and trade secrets.
IP includes formally protected information such as copyrights, patents, trade names, and trademarks. Trade secrets are pieces of sensitive information that a firm acts to keep secret.
h) What is extortion?
In extortion, the perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest.
i) What is employee computer and Internet abuse?
Abuse consists of activities that violate a company’s IT use policies or ethics policies.
j) Who besides employees constitute potential “internal” threats?
Many companies use contract employees that, although not employees of the company, often share many of the same access benefits.
4. a) What is malware? Malware is a generic term for “evil software.”
b) Distinguish between viruses and worms.
Viruses are programs that attach themselves to legitimate programs on the victim’s machine and are usually spread via e-mail messages. Worms are full programs that do not attach themselves to other programs and can propagate through the same mechanisms as viruses, but can also self-propagate, making them able to spread much faster.
c) How do most viruses spread between computers today?
Most viruses spread between computers via e-mail messages, but can also be spread through instant messaging, file sharing programs, downloading infected programs from a malicious website, or from “free software” and pornography downloaded by users.
d) Describe how directly propagating worms move between computers.
Direct-propagating worms jump directly to a computer that has vulnerabilities; they then use these computers to jump to other computers.
e) Why are directly propagating worms especially dangerous?
Direct-propagation requires no user action, so these worms can spread extremely rapidly.
f) What is a virus or worm payload?
Payloads are pieces of code that do damage. After propagating, mobile malware may execute a payload.
Trojan Horses and Rootkits
Test Your Understanding
5. a) How can nonmobile malware be delivered to computers?
It can be on webpages that users download.
b) What is a Trojan horse?
A Trojan horse is a program that hides itself by deleting a system file and taking on the system file’s name. Trojan horses are difficult to detect because they look like valid system files.
c) What is a RAT?
A RAT is a remote access Trojan. A RAT gives the attacker remote access control of your computer.
d) What is a downloader?
Downloader are usually small programs that, after installed, download a larger Trojan horse program capable of doing much more damage.
e) What is spyware?
Spyware refers to a broad spectrum of Trojan horse programs that gather information about you and make it available to an attacker.
f) Why can cookies be dangerous?
Cookies can record sensitive information about you and could become spyware.
g) Distinguish between keystroke loggers, password-stealing spyware, and data mining spyware.
Keystroke loggers capture all your keystrokes. Hackers then look through the keystroke log files to obtain usernames, passwords, SSNs, credit card numbers, and other sensitive information.
Password-stealing spyware tells you that you have been logged out of the server you are visiting and asks you to retype your username and password, which then gets sent on to the attacker.
Data mining spyware searches your hard drives for the same types of information captured by keystroke loggers and sends the information on to the attacker.
h) Distinguish between Trojan horses and rootkits.
Trojan horses replace legitimate programs. Rootkits take over the root account and use its privileges to hide themselves. They do this primarily by preventing their operating system’s file viewing methods from detecting their presence.
i) Why are rootkits especially dangerous?
Rootkits are especially dangerous because rootkits take over the root account to hide themselves from normal inspection and detection.
Mobile Code
Social Engineering in Malware
Test Your Understanding
6. a) What is mobile code?
Mobile code is code that executes on whatever machine downloads the webpage.
b) What is social engineering?
Social engineering attacks take advantage of flawed human judgment by convincing the victim to take actions that are counter to security policies.
c) What is spam?
Spam is unsolicited commercial e-mail.
d) What is phishing?
In phishing attacks, victims receive an e-mail message that appears to come from a bank or another firm with which the victim does business.
e) Distinguish between normal phishing and spear phishing.
Phishing uses e-mail messages that appear to come from banks or other valid firms and directs the user to go to an authentic-looking website or other ruse to obtain sensitive information from the victim. In contrast, spear phishing attacks are aimed at single individuals or small groups of individuals.
f) Why are hoaxes bad?
Hoaxes give false information. They may even try to persuade the victim to damage their own system.
Traditional External Attackers II: Hackers and Denial-of-Service Attacks
Traditional Motives
Test Your Understanding
7. a) What were the motivations of traditional external hackers?
Traditional external hackers were motivated by ego, the thrill of the break-in, and validation of their skills.
b) Did traditional external hackers engage in theft?
They often did.
Anatomy of a Hack
Test Your Understanding
8. a) Distinguish between IP address scanning and port scanning.
IP address scanning is used to determine the IP addresses of a firm’s network, primarily using ICMP Echo messages (aka pings). Port scanning determines which applications are either running or authorized on a specific host.
b) What is an exploit?
The specific attack method that the attacker uses to break into the computer is called the attacker’s exploit, and the act of implementing the exploit is called exploiting the host.
c) What does “owning” a computer mean?
Being able to do anything the attacker wishes on the computer.
d) What is IP address spoofing?
Sending packets with false IP source addresses.
e) Why is IP address spoofing done?
So that the attacker cannot determine the identity of the attacker.
f) When can an attacker not use IP address spoofing?
Attackers cannot use IP address spoofing when they are trying to read replies of probe packets.
g) When attackers must use valid IP source addresses in probe or exploit packets, how do they conceal their identities?
When attackers must use valid IP source addresses, they typically use chains of computers previously compromised by the attacker; the chain is best when it is 15 or more computers. The response packets from an attack will have to be tracked through the entire chain of compromised hosts, which is very difficult.
Social Engineering
Test Your Understanding
9. a) How can social engineering be used to get access to a sensitive file?
Simply asking for someone to send them the file or to give them access to the file.
b) What is piggybacking?
Following someone through the door to a secure area without authenticating oneself.
c) What is shoulder surfing?
Watching someone type their password in order to learn the password.
d) What is pretexting?
In pretexting, an attacker calls claiming to be a certain person in order to ask for private information about that person.
Denial-of-Service (DoS) Attacks
Test Your Understanding
10. a) What is a DoS attack?
A denial-of-service attack attempts to make a server or network unavailable to serve legitimate users by flooding it with attack packets.
b) Describe a DDoS attack.
In a typical DDoS, an attacker controls many computers with bots. The attacker (botmaster) sends the bots a command to attack. All the bots then send the victim a flood of attack packets.
c) Describe a SYN flooding attack in some detail.
In a TCP SYN flooding attack, an attacker users bots to flood a server with TCP connection-opening (SYN) requests. A server reserves a certain amount of capacity each time it receives a SYN segment. Flooding a server with SYN segments can cause the server to run out of resources and crash or be unable to open valid requests. A SYN flood can shut down an entire network if strong enough.
d) Why do many botnets have multiple owners over time?
Typically, a botmaster will use the botnet for his or her purpose, and then sell the botnet to someone else.
Skill Levels
Test Your Understanding
11. a) What are the two primary characteristics of skilled hackers?
Expert hackers are characterized by strong technical skills and dogged persistence.
b) Why are script kiddies dangerous? (Give two reasons.)
Script kiddies are dangerous because of their sheer numbers and because their many attacks make it difficult to recognize the few attacks that are highly sophisticated.
c) Why are malware and exploit toolkits expanding the danger of script kiddies?
They are making it much easier for script kiddies to act.
The Criminal Era
Dominance by Career Criminals
Test Your Understanding
12. a) What is the dominant type of attacker today?
The career criminal.
b) Is cybercrime negligible today compared to noncomputer crime?
No. According to the U.S. Treasury Department, cybercrime proceedings surpassed those from illegal drug sales in 2005.
c) Why are international gangs difficult to prosecute?
It is difficult to prosecute someone in another country.
d) Why do international gangs use transshippers?
International gangs use transshippers in the United States because many online sellers will not ship to addresses outside of the United States.
e) How do they use transshippers?
Transshippers receive shipped goods at U.S. offices and then ship them to the criminal gang in another country.
f) How do they use money mules?
Money mules transfer foreign money into U.S. money and vice versa for a small fee.
Fraud, Theft, and Extortion
Test Your Understanding
13. a) What is fraud? Be specific.
In fraud, the attacker deceives the victim into doing something against the firm’s security policy.
b) What is click fraud?
In webpage advertising, a webpage owner posts an electronic advertisement. If a visitor clicks on it, this takes the visitor to a sponsor website. The sponsor website pays a small fee to the webpage owner. In click fraud, the webpage owner writes a program to “click” repeatedly on the ad and go to the sponsor website. This gives the webpage owner unearned money.
c) How do criminals engage in online extortion?
Computer extortionists threaten to do at least temporary harm to the victim company’s IT infrastructure unless the victim pays the attacker.
Stealing Sensitive Data about Customers and Employees
Test Your Understanding
14. a) What is carding?
Carding is stealing credit card numbers.
b) Describe bank account theft and online stock account theft.
In bank account theft, the attacker controls the victim’s bank account and withdraws money.
In online stock account theft, the attacker takes over the victim’s online stock account and withdraws money.
c) Distinguish between credit card theft and identity theft.
Credit card theft gives criminals access to that credit card. Identity theft is much worse as it allows the criminal to impersonate the victim sufficiently to engage in large financial transactions, such as taking out large loans or making large purchases in the name of the victim.
d) Why is identity theft more serious than credit card number theft?
Identity theft can cause victims massive damages because the thieves are able to use the victim’s information to take out large loans.
e) How do criminals usually get the information they need for credit card theft and identity theft?
Traditionally, they got the information physically, say by copying the credit card account numbers of someone visiting a merchant that has a dishonest employee. Computer credit card and identity theft has been able to get information on large numbers of people very quickly.
f) How can companies be harmed if they allow personal information in their control to be stolen?
Companies that allow personal information in their control to be stolen can receive significant backlash from customers and investors. The firms can be subject to government fines, lawsuits, increased costly audits and regulation, and the possibility of having to fire managers and other key employees.
g) What is corporate identity theft?
When someone impersonates a corporation and carries out business transactions in the name of the company.
Test Your Understanding
15. a) Distinguish between public intelligence gathering and trade secret espionage.
Public intelligence gathering takes advantage of publicly available information to get information about a company.
Trade secret espionage consists of obtaining trade secret information that the company takes reasonable measures to protect.
b) What must a company do to its trade secrets if it wishes to be able to prosecute people or companies who steal it?
It must take reasonable precautions.
c) How strong do those protections have to be?
They must be reasonable.
d) Who is likely to engage in espionage against a firm?
Corporate competitors and national governments (see cyberwar).
Cyberwar and Cyberterror
Cyberwar
Cyberterror
Test Your Understanding
16. a) Distinguish between cyberwar and cyberterror.
In cyberwar, attacks are made by national governments.
In cyberterror, attacks are made by terrorists.
b) How can countries use cyberwar attacks?
Countries can engage in espionage before a war, damaging the enemy’s financial infrastructure, disrupting the enemy’s communication infrastructure, and engaging in propaganda attacks.
c) How can terrorists use IT?
Terrorists can damage a country’s financial, utilities, and IT infrastructure. They can recruit members. They can make physical attacks more confusing by damaging the communications infrastructure. They can turn to computer crime to finance their terrorism.
A Constantly Changing Threat Environment
Test Your Understanding
17. In what three broad ways is the threat environment likely to change in the future?
New attacks appear continuously and grow explosively.
Attackers are humans and continually analyze and create means to defeat countermeasures.
Attacks will grow more sophisticated and severe.
1. a) Why is it important for firms to understand the threat environment?
Until you understand the threats you face, you cannot defend yourself.
b) Name the three common security goals.
Confidentiality, integrity, and availability.
c) Briefly explain each.
Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data.
Availability means that people who are authorized to use information are not prevented from doing so. Neither a computer attack nor a network attack will keep them away from the information they are authorized to access.
d) What is an incident?
When a threat succeeds in causing harm to a business, this is called an incident.
e) What are the synonyms for incidents?
Breaches or compromises.
f) What are countermeasures?
The methods companies use to thwart attacks are called countermeasures.
g) What are the synonyms for countermeasure?
Synonyms for countermeasures include safeguards, protections, or controls.
h) What are the goals of countermeasures?
To thwart attacks.
i) What are the three types of countermeasures?
Preventative, detective, and corrective.
2. a) Who were the victims in the TJX breach? (The answer is not in the text, and this is not a trivial question.)
The customers were the main victims. The banks that dealt with TJX also suffered because fines were leveled against them. Finally, TJX was a victim.
b) Was the TJX break-in due to a single security weakness or multiple security weaknesses? Explain.
There were multiple security weaknesses. To gain access, the thieves exploited poorly protected wireless LAN security. They were able to read traffic because TJX did not encrypt data traveling between its stores and data centers. When thieves then connected to TJX servers, they were able to exploit those servers.
c) Why would meeting the PCI-DSS control objectives probably have prevented the TJX data breach? This is not a trivial question.
Meeting the PCI-DSS control objectives probably would have prevented the TJX data breach because the PCI-DSS was set up to prevent the break-ins of this sort. The standard required control objectives that must be implemented by companies that accept credit card purchases, because companies of credit cards were already beginning to be breached. TJX only had 3 of the 12 required control objectives, which meant that it was very weak in security.
[PCI-DSS says that WEP should not be used in new installations after March 2009, and must be gone after March 2010. (4.1.1)]
d) Would meeting the PCI-DSS control objectives definitely have ensured that the data breach would not have occurred? Think about this carefully. The answer is not in the text.
Not necessarily. Most importantly, the PCI-DSS control objectives only described activities, not how well the activities were carried out.
e) Which of the CIA goals did TJX fail to achieve in this attack?
Of the three CIA goals, TJX primarily failed confidentiality (ensuring sensitive information cannot be read while traveling across a network).
3. a) Give four reasons why employees are especially dangerous.
(1) They have extensive knowledge of the IT systems.
(2) They often have access to sensitive parts of the system.
(3) They know corporate control mechanisms and so often know how to avoid detection.
(4) They are trusted by companies and can benefit from that trust when not following proper security protocol.
b) What type of employee is the most dangerous?
IT support personnel, and specifically IT security personnel, are the most dangerous employees
c) What is sabotage?
Sabotage is the destruction of hardware, software, or data.
d) Give the book’s definition of hacking.
Hacking is intentionally accessing a computer resource without authorization or in excess of authorization.
e) What is intellectual property?
Intellectual property (IP) is information owned by the company and protected by law.
f) What two types of things are employees likely to steal?
Money and trade secrets.
g) Distinguish between intellectual property in general and trade secrets.
IP includes formally protected information such as copyrights, patents, trade names, and trademarks. Trade secrets are pieces of sensitive information that a firm acts to keep secret.
h) What is extortion?
In extortion, the perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest.
i) What is employee computer and Internet abuse?
Abuse consists of activities that violate a company’s IT use policies or ethics policies.
j) Who besides employees constitute potential “internal” threats?
Many companies use contract employees that, although not employees of the company, often share many of the same access benefits.
4. a) What is malware?
Malware is a generic term for “evil software.”
b) Distinguish between viruses and worms.
Viruses are programs that attach themselves to legitimate programs on the victim’s machine and are usually spread via e-mail messages. Worms are full programs that do not attach themselves to other programs and can propagate through the same mechanisms as viruses, but can also self-propagate, making them able to spread much faster.
c) How do most viruses spread between computers today?
Most viruses spread between computers via e-mail messages, but can also be spread through instant messaging, file sharing programs, downloading infected programs from a malicious website, or from “free software” and pornography downloaded by users.
d) Describe how directly propagating worms move between computers.
Direct-propagating worms jump directly to a computer that has vulnerabilities; they then use these computers to jump to other computers.
e) Why are directly propagating worms especially dangerous?
Direct-propagation requires no user action, so these worms can spread extremely rapidly.
f) What is a virus or worm payload?
Payloads are pieces of code that do damage. After propagating, mobile malware may execute a payload.
Trojan Horses and Rootkits
Test Your Understanding
5. a) How can nonmobile malware be delivered to computers?
It can be on webpages that users download.
b) What is a Trojan horse?
A Trojan horse is a program that hides itself by deleting a system file and taking on the system file’s name. Trojan horses are difficult to detect because they look like valid system files.
c) What is a RAT?
A RAT is a remote access Trojan. A RAT gives the attacker remote access control of your computer.
d) What is a downloader?
Downloader are usually small programs that, after installed, download a larger Trojan horse program capable of doing much more damage.
e) What is spyware?
Spyware refers to a broad spectrum of Trojan horse programs that gather information about you and make it available to an attacker.
f) Why can cookies be dangerous?
Cookies can record sensitive information about you and could become spyware.
g) Distinguish between keystroke loggers, password-stealing spyware, and data mining spyware.
Keystroke loggers capture all your keystrokes. Hackers then look through the keystroke log files to obtain usernames, passwords, SSNs, credit card numbers, and other sensitive information.
Password-stealing spyware tells you that you have been logged out of the server you are visiting and asks you to retype your username and password, which then gets sent on to the attacker.
Data mining spyware searches your hard drives for the same types of information captured by keystroke loggers and sends the information on to the attacker.
h) Distinguish between Trojan horses and rootkits.
Trojan horses replace legitimate programs. Rootkits take over the root account and use its privileges to hide themselves. They do this primarily by preventing their operating system’s file viewing methods from detecting their presence.
i) Why are rootkits especially dangerous?
Rootkits are especially dangerous because rootkits take over the root account to hide themselves from normal inspection and detection.
Mobile Code
Social Engineering in Malware
Test Your Understanding
6. a) What is mobile code?
Mobile code is code that executes on whatever machine downloads the webpage.
b) What is social engineering?
Social engineering attacks take advantage of flawed human judgment by convincing the victim to take actions that are counter to security policies.
c) What is spam?
Spam is unsolicited commercial e-mail.
d) What is phishing?
In phishing attacks, victims receive an e-mail message that appears to come from a bank or another firm with which the victim does business.
e) Distinguish between normal phishing and spear phishing.
Phishing uses e-mail messages that appear to come from banks or other valid firms and directs the user to go to an authentic-looking website or other ruse to obtain sensitive information from the victim. In contrast, spear phishing attacks are aimed at single individuals or small groups of individuals.
f) Why are hoaxes bad?
Hoaxes give false information. They may even try to persuade the victim to damage their own system.
Traditional External Attackers II: Hackers and Denial-of-Service Attacks
Traditional Motives
Test Your Understanding
7. a) What were the motivations of traditional external hackers?
Traditional external hackers were motivated by ego, the thrill of the break-in, and validation of their skills.
b) Did traditional external hackers engage in theft?
They often did.
Anatomy of a Hack
Test Your Understanding
8. a) Distinguish between IP address scanning and port scanning.
IP address scanning is used to determine the IP addresses of a firm’s network, primarily using ICMP Echo messages (aka pings). Port scanning determines which applications are either running or authorized on a specific host.
b) What is an exploit?
The specific attack method that the attacker uses to break into the computer is called the attacker’s exploit, and the act of implementing the exploit is called exploiting the host.
c) What does “owning” a computer mean?
Being able to do anything the attacker wishes on the computer.
d) What is IP address spoofing?
Sending packets with false IP source addresses.
e) Why is IP address spoofing done?
So that the attacker cannot determine the identity of the attacker.
f) When can an attacker not use IP address spoofing?
Attackers cannot use IP address spoofing when they are trying to read replies of probe packets.
g) When attackers must use valid IP source addresses in probe or exploit packets, how do they conceal their identities?
When attackers must use valid IP source addresses, they typically use chains of computers previously compromised by the attacker; the chain is best when it is 15 or more computers. The response packets from an attack will have to be tracked through the entire chain of compromised hosts, which is very difficult.
Social Engineering
Test Your Understanding
9. a) How can social engineering be used to get access to a sensitive file?
Simply asking for someone to send them the file or to give them access to the file.
b) What is piggybacking?
Following someone through the door to a secure area without authenticating oneself.
c) What is shoulder surfing?
Watching someone type their password in order to learn the password.
d) What is pretexting?
In pretexting, an attacker calls claiming to be a certain person in order to ask for private information about that person.
Denial-of-Service (DoS) Attacks
Test Your Understanding
10. a) What is a DoS attack?
A denial-of-service attack attempts to make a server or network unavailable to serve legitimate users by flooding it with attack packets.
b) Describe a DDoS attack.
In a typical DDoS, an attacker controls many computers with bots. The attacker (botmaster) sends the bots a command to attack. All the bots then send the victim a flood of attack packets.
c) Describe a SYN flooding attack in some detail.
In a TCP SYN flooding attack, an attacker users bots to flood a server with TCP connection-opening (SYN) requests. A server reserves a certain amount of capacity each time it receives a SYN segment. Flooding a server with SYN segments can cause the server to run out of resources and crash or be unable to open valid requests. A SYN flood can shut down an entire network if strong enough.
d) Why do many botnets have multiple owners over time?
Typically, a botmaster will use the botnet for his or her purpose, and then sell the botnet to someone else.
Skill Levels
Test Your Understanding
11. a) What are the two primary characteristics of skilled hackers?
Expert hackers are characterized by strong technical skills and dogged persistence.
b) Why are script kiddies dangerous? (Give two reasons.)
Script kiddies are dangerous because of their sheer numbers and because their many attacks make it difficult to recognize the few attacks that are highly sophisticated.
c) Why are malware and exploit toolkits expanding the danger of script kiddies?
They are making it much easier for script kiddies to act.
The Criminal Era
Dominance by Career Criminals
Test Your Understanding
12. a) What is the dominant type of attacker today?
The career criminal.
b) Is cybercrime negligible today compared to noncomputer crime?
No. According to the U.S. Treasury Department, cybercrime proceedings surpassed those from illegal drug sales in 2005.
c) Why are international gangs difficult to prosecute?
It is difficult to prosecute someone in another country.
d) Why do international gangs use transshippers?
International gangs use transshippers in the United States because many online sellers will not ship to addresses outside of the United States.
e) How do they use transshippers?
Transshippers receive shipped goods at U.S. offices and then ship them to the criminal gang in another country.
f) How do they use money mules?
Money mules transfer foreign money into U.S. money and vice versa for a small fee.
Fraud, Theft, and Extortion
Test Your Understanding
13. a) What is fraud? Be specific.
In fraud, the attacker deceives the victim into doing something against the firm’s security policy.
b) What is click fraud?
In webpage advertising, a webpage owner posts an electronic advertisement. If a visitor clicks on it, this takes the visitor to a sponsor website. The sponsor website pays a small fee to the webpage owner. In click fraud, the webpage owner writes a program to “click” repeatedly on the ad and go to the sponsor website. This gives the webpage owner unearned money.
c) How do criminals engage in online extortion?
Computer extortionists threaten to do at least temporary harm to the victim company’s IT infrastructure unless the victim pays the attacker.
Stealing Sensitive Data about Customers and Employees
Test Your Understanding
14. a) What is carding?
Carding is stealing credit card numbers.
b) Describe bank account theft and online stock account theft.
In bank account theft, the attacker controls the victim’s bank account and withdraws money.
In online stock account theft, the attacker takes over the victim’s online stock account and withdraws money.
c) Distinguish between credit card theft and identity theft.
Credit card theft gives criminals access to that credit card. Identity theft is much worse as it allows the criminal to impersonate the victim sufficiently to engage in large financial transactions, such as taking out large loans or making large purchases in the name of the victim.
d) Why is identity theft more serious than credit card number theft?
Identity theft can cause victims massive damages because the thieves are able to use the victim’s information to take out large loans.
e) How do criminals usually get the information they need for credit card theft and identity theft?
Traditionally, they got the information physically, say by copying the credit card account numbers of someone visiting a merchant that has a dishonest employee. Computer credit card and identity theft has been able to get information on large numbers of people very quickly.
f) How can companies be harmed if they allow personal information in their control to be stolen?
Companies that allow personal information in their control to be stolen can receive significant backlash from customers and investors. The firms can be subject to government fines, lawsuits, increased costly audits and regulation, and the possibility of having to fire managers and other key employees.
g) What is corporate identity theft?
When someone impersonates a corporation and carries out business transactions in the name of the company.
Competitor Threats
Commercial Espionage
Denial-of-Service Attacks
Test Your Understanding
15. a) Distinguish between public intelligence gathering and trade secret espionage.
Public intelligence gathering takes advantage of publicly available information to get information about a company.
Trade secret espionage consists of obtaining trade secret information that the company takes reasonable measures to protect.
b) What must a company do to its trade secrets if it wishes to be able to prosecute people or companies who steal it?
It must take reasonable precautions.
c) How strong do those protections have to be?
They must be reasonable.
d) Who is likely to engage in espionage against a firm?
Corporate competitors and national governments (see cyberwar).
Cyberwar and Cyberterror
Cyberwar
Cyberterror
Test Your Understanding
16. a) Distinguish between cyberwar and cyberterror.
In cyberwar, attacks are made by national governments.
In cyberterror, attacks are made by terrorists.
b) How can countries use cyberwar attacks?
Countries can engage in espionage before a war, damaging the enemy’s financial infrastructure, disrupting the enemy’s communication infrastructure, and engaging in propaganda attacks.
c) How can terrorists use IT?
Terrorists can damage a country’s financial, utilities, and IT infrastructure. They can recruit members. They can make physical attacks more confusing by damaging the communications infrastructure. They can turn to computer crime to finance their terrorism.
A Constantly Changing Threat Environment
Test Your Understanding
17. In what three broad ways is the threat environment likely to change in the future?
New attacks appear continuously and grow explosively.
Attackers are humans and continually analyze and create means to defeat countermeasures.
Attacks will grow more sophisticated and severe.